Clbdriver.sys-rootkit wreaking MAJOR HAVOC

I have been working for a full week trying to untangle the mess caused by a trojan that found it's way onto my computer. Seems to be a new bundle of malware that makes it nearly impossible to restore my system.

Here is a synopsis of what it did to my homemade computer running XP sp2 with no antivirus and just a windows firewall (crazy? I confess) It happened right after I downloaded some pirated software so I am sure this is my just dessert.

As soon as the program installed I saw some strange messages pop up briefly talking about some other installation which, no doubt was the trojan.

Here are some of the things it did. It removed Task manager and disabled regedit and command prompt.

It changed settings so that my Start Menu no longer has a programs menu, my computer, my documents, my recent documents, control panel, search, run, or help.

It even removed the log off function so I can only shut down the computer, not change users.

It changed the password to the default administrator account and took away many administrator privileges from my own adminstrator account.

It made my C: and D: drives disappear from any window I could get to display my computer.

It disabled firefox.

I'm sure there are many other things we will discover in this thread but you can see already what a horror it is.

For anyone facing this unusual set of circumstances I discovered a way to start putting the pieces back together by rightclicking the start menu. This was the only spot on my desktop that could open a rightclick menu and it allowed me to open windows explorer and get started.

From there I began trying to run "read and run first" which I couldn't get far with.

I had to run RRT to get my task manager back(that's all it did).

I tried using Petter Nordahl-Hagen's Password/Registry Editor/Boot CD but it was unable to write to my NTFS file system because of some unsupported flags, so I am still unable to open the default adminstrator.

I ran SDFix which got me back Regedit. I changed some group poicy settings that got me back my C:drive in My Computer and I made some other settings changes I can't remember at the moment that got back most of my start menu items. Still no programs menu or log off button, even in TaskManager.

Tried to update Java but was restricted from doing so.

SDFix seems to have done the most good in removing a bunch of malware but then I ran Avenger and that's when I discovered the root kit.

As you can tell, most of the problems described above have been around awhile and have common solutions discussed in other threads, but this clbdriver.sys rootkit doesn't have much presence yet.

This is why I started this thread, since there's really not much info about it that I can find.

I am working on getting the SDFix log out of my computer and into this one I am working on now. I also plan to run HJT, but in the meantime perhaps you could help me get more info on what to do about this rootkit.

Here is what Avenger told me:

Hidden driver "clbdriver" found!
ImagePath:
\??\globalroot\systemroot\system32\drivers\vmdesched.sys
Driver disable failed!

Start Type: 1 (System)

Maybe that will help, if not let me know if there is anything besides HJT you want me to run and I will send my logs in a future post.

Thanks before we start.

Dean Levi.